Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/dataease/SQLBot/llms.txt

Use this file to discover all available pages before exploring further.

SQLBot uses a three-tier permission model: a global admin account at the top, workspace admins who manage a single workspace, and regular members who use the platform day-to-day. Every API call and UI action is gated against this hierarchy, so understanding who can do what helps you design a secure, well-organised deployment.

Role hierarchy

Global Admin
└── Workspace Admin (one per workspace)
    └── Regular Member
Roles are not exclusive: the global admin implicitly has all workspace admin capabilities everywhere. A user can be a workspace admin in one workspace and a regular member in another.

Global admin

There is one global admin account in SQLBot: the built-in admin account (username admin, database ID 1). This account is created at installation time and cannot be deleted.
The global admin bypasses all workspace-level permission checks. Any endpoint decorated with role=['admin'] or role=['ws_admin'] grants the admin account unconditional access.
What the global admin can do:

User management

Create, edit, activate, deactivate, and delete any user account. Reset passwords. Batch-import users from Excel.

LLM model management

Add, edit, test, and delete AI models. Set the system-wide default model used for SQL generation.

Workspace management

Create, rename, and delete workspaces. Assign users to any workspace with any role. The default workspace (ID 1) cannot be deleted.

Datasource management

Add and configure datasources in any workspace. View and modify connection settings across all workspaces.

System settings

Access all global parameter settings, view the audit log, manage API keys, and configure authentication providers.

Audit log

View operation logs for all users across all workspaces, including login events, query execution, and configuration changes.

Workspace admin

A workspace admin is a regular user whose weight is set to the admin level within a specific workspace. Unlike the global admin, their elevated permissions apply only inside the workspace where they hold that role. What a workspace admin can do:
  • View all members of their workspace.
  • Add existing users to their workspace.
  • Remove users from their workspace.
  • Promote or demote other members within their workspace.
  • Manage datasources assigned to their workspace.
What a workspace admin cannot do:
  • Access System Settings (users, global LLM models, global parameters).
  • Create new user accounts.
  • Manage workspaces other than their own.
  • Change another user’s password.
  • View the global audit log.
Workspace admins who attempt to access admin-only endpoints receive a "only admin can perform this operation" error.

Regular member

Regular members are the default role for all newly created users. They have read and write access to resources within their currently active workspace, but no administrative capabilities. What a regular member can do:
  • Send messages in the chat interface and receive SQL-generated results.
  • View and query all datasources assigned to their current workspace.
  • Switch between workspaces they have been assigned to.
  • Change their own display language and password.
  • Generate and manage their own API keys.
What a regular member cannot do:
  • View users, workspaces, or datasources outside their active workspace.
  • Access System Settings in any capacity.
  • Add or remove other users from workspaces.
  • Configure or delete AI models.

Workspace isolation

Workspaces are the primary boundary for data access in SQLBot. When a user switches their active workspace, the datasources, conversations, and assistants visible to them change completely. A user with memberships in multiple workspaces cannot mix resources across them. Workspace isolation is enforced at the API level: every request that accesses a datasource or conversation is validated against the requesting user’s current workspace ID (oid). If the resource does not belong to that workspace, SQLBot returns a "permission resource limit" error — not a 404.

How to promote a user to workspace admin

1

Navigate to the workspace

Go to System Settings → Workspaces and select the workspace where you want to promote the user.
2

Open the Members tab

Click the Members tab to see everyone currently assigned to the workspace.
3

Change the user's role

Find the user in the list and change their role from Member to Workspace Admin. The change takes effect immediately — their session cache is cleared and the next request they make will use the new role.

Permission reference

The table below summarises which actions each role can perform.
ActionGlobal adminWorkspace adminRegular member
Create/delete user accountsYesNoNo
Activate/deactivate usersYesNoNo
Reset user passwordsYesNoNo
Add LLM modelsYesNoNo
Set default LLM modelYesNoNo
Create/delete workspacesYesNoNo
Add members to workspaceYesYes (own workspace)No
Remove members from workspaceYesYes (own workspace)No
Promote members to workspace adminYesNoNo
Manage datasources (any workspace)YesYes (own workspace)No
View global audit logYesNoNo
Use chat / run SQL queriesYesYesYes
Change own password and languageYesYesYes
Manage own API keysYesYesYes

Build docs developers (and LLMs) love

Get started for freeTalk to us